samba - Mar 2015 - "failed to lookup DC info for domain over rpc" when joining samba4 domain

Hi Rowland,

Please see comments inline.

On 10/03/15 08:51, Rowland Penny wrote:
> Your DC's must point to themselves for DNS and your domain clients must
> point to the DC's, anything outside the domain the DC's will be
obtain
> from the forwarders set on them.
This is contrary to what the wiki says.
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
This page indicates that as long as the client can resolve names in the 
domain DNS zone (in my case ads.connon.me.uk) they should be fine.
> What I think is happening: your client is asking for the DC from your
> forwarders, they do not know, so they ask the DC, who asks the
> forwarder, who does not know and so on.
I can confirm this isn't happening since I can resolve (for example) the 
SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders, you 
can even test this yourself with `dig -t SRV 
_ldap._tcp.ads.connon.me.uk` or similar.

I'm currently looking into whether there are any records missing.

Regards,
Richard

On 10/03/15 14:11, Richard Connon wrote:
> Hi Rowland,
>
> Please see comments inline.
>
> On 10/03/15 08:51, Rowland Penny wrote:
>> Your DC's must point to themselves for DNS and your domain clients
must
>> point to the DC's, anything outside the domain the DC's will be
obtain
>> from the forwarders set on them.
>
> This is contrary to what the wiki says.
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> This page indicates that as long as the client can resolve names in 
> the domain DNS zone (in my case ads.connon.me.uk) they should be fine.
>
I think that you are referring to this line:

Your DNS server(s) must be able to resolve the AD DNS zone, because 
services, such as Kerberos, use it to locate other services in your 
network.

Above that line in the wiki is this:


Configure your Member Servers /etc/resolv.conf to use the DNS server(s) 
and search domain of your AD:

nameserver 192.168.1.1
search samdom.example.com

And if look further up 192.168.1.1 is the ip of a DC DNS server.

>> What I think is happening: your client is asking for the DC from your
>> forwarders, they do not know, so they ask the DC, who asks the
>> forwarder, who does not know and so on.
>
> I can confirm this isn't happening since I can resolve (for example) 
> the SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders, 
> you can even test this yourself with `dig -t SRV 
> _ldap._tcp.ads.connon.me.uk` or similar.
>
AGGHHHH, your Domain DCs are resolvable on the internet, *they shouldn't be*

rowland at ThinkPad ~ $ dig -t SRV _ldap._tcp.ads.connon.me.uk

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> -t SRV
_ldap._tcp.ads.connon.me.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42601
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.ads.connon.me.uk.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.ads.connon.me.uk. 899 IN    SRV    0 100 389 
dc02.ads.connon.me.uk.
_ldap._tcp.ads.connon.me.uk. 899 IN    SRV    0 100 389 
dc01.ads.connon.me.uk.

> I'm currently looking into whether there are any records missing.
>
> Regards,
> Richard
>
Probably not, it just seems to be set up incorrectly.

Your AD domain should be a sub domain of your registered domain (if you 
have one) and should not be resolvable from the internet.

Rowland

Hello again,

Rowland, thanks for the pointers regarding AD DNS best practice. I'll
look into blocking my ads.connon.me.uk zone from external networks.

The root cause of my issue, however, turned out to be something
unrelated. I concluded that the problem occurs when the join process
needs to connect to the IPC$ share on the DC. For some reason the shares
on the DC were not working due to a missing module:
/usr/lib/x86_64-linux-gnu/samba/vfs/acl_xattr.so

Installing the debian package samba-vfs-modules this has resolved the
issues with my join!

Regards,
Richard